Office of the Inspector General
Office of Audit

Inspector General's Report on SSA's Fiscal Year 1996 Financial Statements
A-13-96-51001

The Chief Financial Officers (CFO) Act of 1990, as amended by the Government Management Reform Act (GMRA), requires agencies to report annually to the Congress their financial status and any other information needed to fairly present the agencies' financial position and results of operations. To meet GMRA reporting requirements, the Social Security Administration (SSA) prepares annual financial statements which we audit.

The objectives of our audit were to express an opinion on the fair presentation of SSA's Fiscal Year (FY) 1996 principal financial statements taken as a whole, test the Agency's internal control structure, and assess its compliance with applicable laws and regulations that could have a material effect on its annual financial statements. This report presents the results of our audit of SSA's financial statements, internal controls, and compliance with laws and regulations.

As part of its FY 1996 audit efforts, the Office of the Inspector General (OIG) reviewed SSA's separation of duties controls for the Modernized Supplemental Security Income Claims System (MSSICS), the Modernized Claims System (MCS), and the Manual Adjustment Credit and Award Data Entry (MACADE) system. These three systems allow SSA workers to process Social Security and Supplemental Security Income (SSI) benefit payments.
Based on the collective results of these reviews, we determined that SSA's primary benefit payment systems lack sufficient compensating controls to accommodate for the lack of separation of duties in the above systems.

As in previous OIG reports, we continue to report the following:

- the SSA's title XVI overpayment system still contains systemic weaknesses which prevent its compliance with Federal internal control standards;
- the SSA is not complying with 20 Code of Federal Regulations (CFR) §416.558(a) to provide title XVI recipients overpayment notification; and
- the SSA is not performing a sufficient number of continuing disability reviews (CDR) as required by section 221(i) of the Social Security Act.

OPINION ON FINANCIAL STATEMENTS

We have audited the accompanying combined statements of financial position of SSA as of September 30, 1996 and 1995, and the related combined statements of operations and changes in net position, and cash flows for the FYs then ended. These statements are the responsibility of SSA's management. Our responsibility is to express an opinion on these statements based on our audit.

We conducted our audit in accordance with generally accepted government auditing standards and the Office of Management and Budget (OMB) Bulletin 93-06, "Audit Requirements for Federal Financial Statements." These standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation.
We believe that our audit provides a reasonable basis for our opinion.

In our opinion, the accompanying combined financial statements present fairly, in all material respects, the financial position of SSA at September 30, 1996 and 1995, and the results of its operations, changes in net position, and cash flows for the FYs then ended, in accordance with the accounting principles described in Note 1 to the financial statements.

Our audit was conducted for the purpose of forming an opinion on the financial statements described above. The presentation of the financial statements includes an Overview of SSA and the Supplemental Financial and Management Information, which are the responsibility of SSA's management. We have reviewed the Overview of SSA and the Supplemental Financial and Management Information to determine that they are not materially inconsistent with the information in the combined financial statements. We also assessed the risk that systems used to produce the performance measures in the Overview did not report actual and complete information. However, such information, including financial estimates, has not been subjected to the auditing procedures applied in the audit of financial statements described above and, accordingly, we express no opinion on the Overview of SSA and the Supplemental Financial and Management Information.

REPORT ON INTERNAL CONTROLS

In performing our tests of internal controls as part of our FY 1996 financial statement audit, we identified two weaknesses involving SSA's internal control structure and operations that we consider to be reportable conditions under standards established by OMB Bulletin 93-06 and/or the Federal Managers' Financial Integrity Act (FMFIA).
We have summarized these conditions below.

We believe the two weaknesses are material under FMFIA criteria. These weaknesses are not, however, material to the financial statements taken as a whole.

Insufficient Separation of Duties or Compensating Controls in On-line Systems

The SSA's operating environment is highly automated. Many of the Agency's systems modernization efforts have resulted in SSA processing claims and/or postentitlement actions on-line without the traditional multiple levels of review. In essence, this reengineering or streamlining of business processes has empowered SSA workers with increased processing capabilities in order to meet the Agency's goal of providing world-class service. An inherent risk associated with moving to an environment where employees have more on-line access and processing power is that workers will perform incompatible functions which would allow them to perpetrate and conceal errors or irregularities.

The General Accounting Office (GAO) provides that there should be separation of duties between incompatible functions to prevent an individual from introducing an error or irregularity into the system and concealing it. The main purpose for separation of duties is to reduce the risk of fraud and abuse. The extent to which duties are segregated depends on the size of the organization and the risk associated with its facilities and activities. Where separation of duties is not operationally feasible, compensating controls need to be implemented to safeguard operations.
However, in an automated environment, separation of duties cannot always be accomplished. Other alternative controls can compensate for lack of separation of duties, if they achieve the same goal.

The OIG's FY 1996 audit coverage included audits focusing on separation of duties controls for certain functions in three of the on-line systems through which SSA employees can modify a beneficiary's or recipient's record. Collectively, the results of our audits indicate that there are insufficient separation of duties or compensating controls to reduce, to an acceptable level, the risk of undetected errors and/or irregularities in MSSICS, MCS, and MACADE systems--the automated systems for processing Social Security and SSI benefit payments.

We recognize that SSA is committed to use the latest on-line technology, increase efficiency, ensure timely claims processing, and use fewer people to perform more tasks. However, the desire to obtain operational efficiency does not negate SSA's responsibility to design and maintain an internal control structure that provides reasonable, but not absolute assurance that funds, property, and other assets are safeguarded against waste, loss, and unauthorized use or misappropriation. Therefore, where it is not operationally feasible for SSA to implement separation of duties controls, the Agency should implement compensating controls to minimize the risk of undetected errors and/or irregularities.

Summaries of each of the audits are provided below. The results of two of the audits will be issued shortly. The other report was issued on September 23, 1996, but its distribution is limited to authorized officials. We believe the recommendations contained in each report will reduce SSA's risk of fraud while allowing SSA to achieve its operational and service delivery needs in an efficient manner.
Because there may be additional separation of duties concerns in other SSA on-line systems, we plan to conduct additional audits, such as our audit of the Critical Payment System.

MSSICS

The MSSICS is a complex automated system developed to enhance the application process for SSI benefits. One objective of our review of MSSICS focused on separation of duties controls for the claims-taking process. The results of our review indicated that SSA implemented several manual controls. However, these compensating controls could not prevent or timely detect an SSA claims representative from filing an application for a Social Security number (SSN) based on fraudulent, questionable, or nonexistent documentation and subsequently filing a claim for SSI benefits under that same SSN.

According to SSA security personnel, the Agency has developed an enumeration edit check program to prevent the same person from processing an SSN application and filing a claim for benefits. This edit, however, has not yet been implemented.

MCS

The MCS is an automated system which allows a single employee to process initial claims using a series of on-line screens. The objective of our follow-up audit was to evaluate SSA's progress in implementing recommendations from a previous Department of Health and Human Services/Office of Inspector General (HHS/OIG) report which reviewed separation of duties controls in MCS. The SSA has partially implemented the recommendations suggested in the previous HHS/OIG report. However, weaknesses in SSA procedures remain because sufficient controls do not exist through separation of duties or compensating controls. As a result, SSA employees can add false claims to existing accounts through improper use of existing, unknown/missing, or false SSNs.

Moreover, improper use of SSNs is not likely to be detected by SSA's Title II Integrity Review.
The review's scope does not adequately focus on potentially fraudulent situations, emphasize verification of claims information to independent sources, or otherwise provide summary management information.

MACADE

The MACADE is an on-line data entry input system designed to enter transactions into the Manual Adjustment Credit and Award Process (MADCAP) system. Prior to MACADE, transactions were originated in paper form and batch processed. The MADCAP and MACADE are used in program service centers (PSC) but not field offices. The objective of our review of MACADE was to identify control weaknesses which allow misappropriations to occur and remain undetected. The results of our audit efforts at the Northeastern Program Service Center (NEPSC) indicated control weaknesses within MACADE which allow PSC workers to enter and conceal erroneous data. Specifically, a benefit authorizer at NEPSC was able to execute multiple actions in MACADE/MADCAP to generate payments of approximately $332,000 into various bank accounts controlled by himself and his accomplices between April 1994 and March 1995.

In a May 15, 1995 memorandum, we alerted SSA of the need to implement control procedures to prevent the recurrence of this type of fraudulent activity. The SSA responded with both interim and long-term solutions which we support. However, in our September 23, 1996 report on MACADE, we recommended additional system modifications to further strengthen internal controls to deter and prevent fraud. The nature of the additional recommended corrective actions is sensitive and confidential. For security reasons, specific details describing how the fraud was perpetrated and the recommended preventive measures are not provided.
In general, SSA agreed with the recommendations.

Summary

The pervasive occurrence of the lack of separation of duties and/or compensating controls where employees can enter and conceal errors or irregularities in SSA's on-line systems leads us to believe that this condition is reportable as a material weakness under FMFIA reporting criteria. Under FMFIA, a material weakness is a deficiency that the agency head determines to be significant enough to be reported outside of the agency. As provided in OMB Circular A-123, it is management's prerogative to report management control deficiencies based on the citation's use of the term "material weakness."

In each of the above reports, we have recommended or plan to recommend actions to strengthen SSA's separation of duties controls and/or to implement compensating controls. We make no additional recommendations on resolving separation of duties issues in this report, but affirm our support of the recommendations we are making in the other reports. Also, the conditions described above may not be limited to MSSICS, MCS, and MACADE, since many of SSA's benefit payment programs are on-line.

Recommendation

We recommend that SSA:

1. report this condition as a material weakness under FMFIA.

SSA Comments and OIG Response

In its written response to our draft report (see APPENDIX), SSA disagreed with our identification of the separation of duties issue as a material weakness. The SSA comments cited that while millions of transactions were processed by the 3 identified systems, only 23 of the 65,000 SSA employees were referred to OIG for investigation of fraud.
The SSA also identified controls it felt compensated for the lack of separation of duties--the Audit Trail System (ATS), periodic reviews by the regional security staffs, and publicizing the detection and prosecution of fraud cases.

We agree that there have not been a large number of employee cases referred to OIG for fraud investigation. However, the number of referred cases represents only the detected cases. We believe the actual incidence of fraud within SSA is higher than the detected cases. Also, our determination that the lack of separation of duties was a material weakness under FMFIA was based on the risk of loss--not the actual known losses. We believe it is in the best interest of SSA to implement preventive measures now rather than to risk accumulating actual losses before enacting necessary controls.

We also disagree with SSA's assessment of the compensating controls it cited. The ATS neither prevents nor detects fraud, but rather allows investigators to determine the extent of the fraud by permitting the identification of the transactions processed by an individual after the fraud is uncovered. The reviews conducted by the regional security staffs were not designed to detect employee fraud nor were they sufficiently routine to act as an effective deterrent. Lastly, the publicizing of fraud cases which have been detected and prosecuted, in our opinion, has only minimal effect as a deterrent.

Accounts Receivable

As previously reported, SSA has reported its Debt Management System (DMS) as a material weakness under FMFIA reporting criteria since FY 1991. The SSA disclosed that the underlying systems which generate accounts receivable did not permit the Agency to identify how much is owed or how much has been collected. Since the initial reporting, SSA has undertaken an extensive project to reengineer and modernize its DMS.
In its debt management transition plans, SSA identified eight corrective measures for the title II system and five for the title XVI system. Each of the planned corrective actions required numerous systems revisions and upgrades.

As part of our review of SSA's status of correcting this material weakness, we reviewed the Agency's title II transition plan and systems validation documentation to determine what corrective measures were planned for FY 1996 and what measures were placed in operation. Our inquiries indicated that by the end of September 1996, SSA had implemented three additional systems corrections that allowed the overpayment systems to:

- store actual monthly withholding amounts;
- capture source document, indebtedness, and cash collection details; and
- ensure data elements are consistent with accounting guidelines.

The remaining corrective measures are aging of debt and month-to-month accounting--the ability to identify the accounting month to which a particular overpayment amount relates. The SSA developed software for aging debt and anticipates producing the first aging report in December 1996. The SSA does not anticipate providing month-to-month accounting until the Year 2000 because of the high degree of dependence on other SSA initiatives to modernize its title II programmatic systems.

As a result of the three 1996 enhancements and SSA's prior implementation of three additional corrective measures, SSA management believes it has sufficiently corrected the title II overpayment system's material weakness. Although SSA contends that it has made systems enhancements to address most of the internal control deficiencies in the title II system, the timing of the systems enhancements did not provide us sufficient time to test the effectiveness of these controls.
Accordingly, we can neither concur nor take exception with SSA's determination.

The title XVI overpayment system, however, remains a material weakness under FMFIA because it cannot generate reliable accounts receivable data. Most of SSA's corrective action has focused on the title II system with little attention being given to the title XVI systems. The five corrective measures for the title XVI system remain unaddressed and many of the planned enhancements remain unscheduled.

In the past, we recommended that SSA continue to address systems deficiencies and accounting issues in the implementation of both the title II and title XVI DMS. Accordingly, we make no recommendations regarding the title II system, but reaffirm our prior recommendations regarding the title XVI system.

SSA Comments

The SSA generally concurred with our finding.

Other Matters

Under OMB Bulletin 93-06, we are not responsible for auditing the information presented in the Overview and Supplemental Information sections of the Accountability Report. Our responsibilities are limited to assessing the risk that systems used to produce performance measures in the Overview did not report actual and complete information.

A recent SSA report entitled, "The Report of the Management Information Partnership Team," indicated that some of the data on which performance measures are based may have been inappropriately manipulated in SSA field offices to indicate better operating efficiency than actually occurred. The report listed 57 allegations of inappropriate practices designed to distort management information. We believe these allegations raise doubt about the accuracy of certain performance measures.
The affected performance measures are limited to those measures reported under (1) SSA's goal to provide world-class public service in the Overview and (2) the Supplemental Financial and Management Information.

The SSA's management believes that the allegations do not materially affect the accuracy of the performance measures at the national level. We were informed by SSA management that they had performed an analysis of the five most prevalent allegations to support this conclusion. The SSA, however, was unable to provide us with the analysis.

The report contained a number of recommendations to address the inappropriate practices identified in the study. The SSA is currently studying the report and is developing a number of workgroups to address the identified inappropriate practices. The SSA's management has not, as yet, formally responded to the report issued in June 1996.

We have not determined the validity of the report's allegations or the extent of the effect the inappropriate practices may have on SSA's performance measures.
We plan to perform audit work in this area in FY 1997.

REPORT ON COMPLIANCE WITH LAWS AND REGULATIONS

Our review found that SSA had complied with the terms and provisions of relevant laws and regulations for the tested transactions that could materially affect SSA's principal financial statements. We noted the following nonmaterial but reportable matters.

Noncompliance with Legal Requirements to Notify Beneficiaries of Due Process Rights

Our FY 1995 Management Letter detailed SSA's noncompliance with legal requirements (20 CFR §416.558(a)) to notify certain title XVI recipients of new overpayments and collection decisions when there is an existing overpayment in collection status on their records. The SSA estimated there were as many as 3 million instances of voided overpayment collection transactions where recipients had not been notified of approximately $345 million of overpayments posted to their records since 1983.

We previously recommended that SSA modify its system to properly generate notices, and that SSA implement a manual control to properly notify SSI recipients of such decisions. The SSA has implemented a programmatic change to eliminate the voiding problem and prevent future incidents of recipients not receiving the requisite overpayment notification. Notwithstanding these corrective measures, we have identified no SSA efforts to contact those title XVI recipients already affected by voiding. We do not believe that successfully modifying the title XVI systems to notify future recipients eliminates SSA's obligation to inform title XVI recipients who did not previously receive proper notification.

Recommendation

We recommend that SSA:

2. in consultation with the Office of the General Counsel, take such action as is necessary to rectify its continuing noncompliance with laws and regulations in this regard.

SSA Comments and OIG Response

In its response, SSA stated it believes the implementation of the systems changes eliminates its continuing noncompliance problem. However, SSA agreed to investigate relevant statutory requirements and pursue notification accordingly for the previously affected SSI population.

We continue to believe that a noncompliance exists for the previously affected SSI population.

Continuing Disability Reviews

As previously reported, SSA still does not fully comply with section 221(i) of the Social Security Act, which requires that SSA perform periodic reviews to determine beneficiaries' continued eligibility for title II disability benefits. These reviews were traditionally accomplished by referring nearly all disabled beneficiaries to State disability determination services (DDS). The DDSs conduct medical CDRs to reexamine the medical conditions of disabled beneficiaries and determine their continued eligibility. However, resource limitations and increased workloads in claims processing resulted in a substantial backlog of CDRs not yet performed.

To address the backlog problem, SSA began using a mailer process which profiles beneficiaries as to the likelihood of their medical improvement and refers those most likely to improve to a State DDS for a medical CDR. We believe SSA is taking the right approach in addressing the title II backlog.

In the past, we expressed concern about requirements extending SSA's CDR responsibility to cover title XVI recipients. Section 208(a) of the Social Security Independence and Program Improvements Act of 1994 requires CDRs for at least 100,000 title XVI cases annually from FY 1996 to FY 1998.
Because of the extensive backlog that existed prior to SSA's responsibility for title XVI CDRs, we were concerned that the additional mandate would further exacerbate the backlog. As such, we recommended that SSA obtain additional funding to perform CDRs.

Upon SSA's request for funding to limit growth of the CDR backlog, the Congress approved legislation (Public Law (P.L.) 104-121) that allows an increase in discretionary spending caps for FYs 1996 through 2002 to fund the cost of processing additional CDRs. The Congress added $60 million and $160 million to the base amount of $200 million for FYs 1996 and 1997, respectively.

In our assessment of SSA's compliance with the Social Security Act and the Social Security Independence and Program Improvements Act of 1994, we reviewed SSA's status in reducing its backlog of title II cases and the Agency's compliance with title XVI CDR requirements. In FY 1996, SSA performed 355,000 title II CDRs (an increase of 151,000 from the FY 1995 figure of 204,000). The number of title XVI CDRs performed in FY 1996 was 163,000. Despite the increase in the number of CDRs performed by SSA, a substantial backlog of approximately 1.8 million title II CDRs remains. According to SSA, it is unlikely that the Agency will perform 400,000 of the 1.8 million backlogged CDRs because it would not be cost-effective. In regard to title XVI CDRs, SSA met and exceeded the 100,000 CDRs required by P.L. 103-296. Therefore, the only noncompliance issue with CDR requirements is for title II disability cases.

As in prior audit reports, we reaffirm our support of SSA's continued use of the CDR mailer process which aids in the identification of individuals due a CDR, and our suggestion to expand the mailer process to include all beneficiaries overdue a CDR.
We make no additional recommendations in this report, but continue to support our previous recommendations.

SSA Comments

The SSA agreed with our finding.

MANAGEMENT'S RESPONSIBILITIES

Pursuant to the reporting guidance developed by the President's Council on Integrity and Efficiency and the American Institute of Certified Public Accountants, the following is a discussion of the responsibilities of both management and auditor under the CFO Act as amended.

The SSA's management is responsible for designing and maintaining an internal control structure that provides reasonable, but not absolute, assurance that the following objectives are met:

- obligations and costs are in compliance with applicable laws and regulations;
- funds, property, and other assets are safeguarded against waste, loss, and unauthorized use or misappropriation;
- assets, liabilities, revenues, and expenditures applicable to Agency operations are properly recorded in order to maintain accountability and to permit the preparation of reliable financial and statistical reports; and
- data that support related performance measures are properly recorded and accounted for to permit preparation of reliable and complete performance information.

AUDITOR'S RESPONSIBILITIES AND METHODOLOGIES

Our responsibilities are to:

- express an opinion as to the fair presentation of SSA's principal financial statements;
- report the results of our review of SSA's internal control structure, and the extent to which its weaknesses may materially affect the financial statements taken as a whole;
- report the results of our related tests of SSA's compliance with applicable laws and regulations that could materially affect the principal financial statements; and
- obtain an understanding of SSA's internal control structure related to performance measurement data, assess related risks, but not test the underlying data, and report significant internal control weaknesses.

We performed tests of applicable internal controls and compliance with laws and regulations to determine the extent of our auditing procedures necessary for expressing an opinion on SSA's principal financial statements, and to report our findings resulting from our controls and compliance testing and not to express, and we do not express, separate opinions about the adequacy of the internal control structure or compliance with laws and regulations. Our work was performed from March 1996 to November 1996 in accordance with generally accepted government auditing standards and OMB Bulletin 93-06, "Audit Requirements for Federal Financial Statements."

Because of inherent limitations in any internal control structure, losses, noncompliance, or misstatements may, nevertheless, occur and not be detected. Also, projection of any evaluation of the internal control structure to future periods is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with controls may deteriorate.
Our consideration of the internal control structure would not necessarily identify all matters in the internal control structure that might be considered a reportable condition.

To fulfill these responsibilities, we:

- reviewed the appropriate GAO, SSA, OIG, and other reports relative to the scope of our financial statement audit;
- reviewed financial management systems reports prepared by independent auditors for SSA's reporting requirements under FMFIA;
- classified significant internal control policies and procedures into six categories corresponding to SSA's accounting systems:
    - Accounts Receivable;
    - Investment Activities;
    - Land, Building, and Equipment;
    - Revenues (Financing);
    - Benefit Payments; and
    - Expenses;
- obtained an understanding of the design of relevant policies and procedures and whether they had been placed in operation;
- assessed control risk;
- performed control tests on each of the categories listed above on a selected basis;
- tested compliance with selected provisions of the following laws and regulations which may materially affect the financial statements or are specified in OMB Bulletin 93-06:
    - the CFO Act of 1990, as amended by GMRA;
    - Computer Security Act of 1987;
    - the FMFIA;
    - the OMB Bulletin 94-01;
    - Social Security Act, as amended; and
    - Public Laws 93-66, 94-241, 99-643, 103-296 and 104-134; and
- reviewed internal controls pertaining to the existence and completeness assertions for systems producing performance measures in the Overview of SSA.

David C. Williams
Inspector General
Social Security Administration
November 22, 1996

SOCIAL SECURITY
Memorandum

Date: November 8, 1996
Refer To: S1J-1

To: David C. Williams
Inspector General

From: Shirley S. Chater
Commissioner of Social Security

Subject: Office of Inspector General Draft Report, "Inspector General's Report on the Social Security Administration's Financial Statements" (A-13-96-51001)--INFORMATION

Attached are our comments on the subject report.

Attachment: SSA Response

COMMENTS ON THE OFFICE OF INSPECTOR GENERAL DRAFT REPORT, "INSPECTOR GENERAL'S REPORT ON THE SOCIAL SECURITY ADMINISTRATION'S FINANCIAL STATEMENTS" (A-13-96-51001)

We appreciate the efforts of the Office of Inspector General (OIG) to review the Social Security Administration's (SSA) financial statements for fiscal year (FY) 1996. Our comments on the respective report sections are included below.

Report on Internal Controls

Separation of Duties or Compensating Controls in On-line Systems

We agree that it is important to take all reasonable measures to prevent the occurrence of fraud with regard to the programs administered by SSA. The agency has zero tolerance regarding employee fraud, and has, and continues to take, proactive steps to prevent employee fraud and misconduct. We recognize that the internal controls for our operational systems can always be improved, and we are working to make significant improvements to the controls in our systems.

We are concerned about any suggestion of reporting the internal control matters presented in this report section as a material weakness. We do not believe the facts presented in this report, or the three prior reports discussed, support such a recommendation. The three systems discussed in the report processed over 10 million transactions in FY 1996. Over 99.9 percent of those transactions were processed without any security violations. Approximately 7.2 million initial claims were processed through these systems in FY 1995, and of those, only 410 cases of fraud were found. This represents less than six thousandths of one percent.
With respect to employee\nfraud, in FY 1996 SSA employed about 65,000 employees, however, only\n23 cases of employee fraud were referred to OIG for investigation.\nThis represents less than four one-hundredths of one percent of SSA`s\nemployees. These figures clearly demonstrate that our internal controls\nare reasonable.\nAbout compensating controls, we agree that in today`s\nautomated environment, such controls are necessary to reduce the\nrisk of fraud. Each of the systems mentioned in this report writes\nrecords to our Audit Trail System (ATS). As a result, SSA employees\nknow that actions taken through these systems are attributed to them.\nWe believe this ATS process constitutes a significant compensating\ncontrol.\nWe also believe effective compensating controls must\ninclude controls outside the automated environment. Our regional\nsecurity staffs conduct periodic reviews of SSA offices, during which\nstaff data entries are checked for accuracy and appropriateness.\nThis manual control has a deterrent effect. We have also implemented\nseveral initiatives that help to deter fraud as part of our tactical\nplan item, Combating Fraud. 
These initiatives include increased communication\nthat fraud is being detected, perpetrators are being successfully\nprosecuted, and resources dedicated to combat fraud, including the\nprovision for additional OIG investigative staff, are being increased.\nSuch compensating controls, including an active, dedicated OIG investigative\npresence, may constitute a greater fraud deterrence than available\nautomated controls.\nOther Matters Relating to Separation of Duties and\nCompensating Controls In On-line Systems\nThe report refers to an enumeration edit check program\nto prevent an SSA employee from processing a fraudulent application\nfor a Social Security Number (SSN), and then processing a fraudulent\nsupplemental security income (SSI) claim under the fraudulent SSN.\nSuch an edit program has not been planned for the enumeration system.\nInstead, the needed fraud deterrence and identification will be built\ninto the Comprehensive Integrity Review Process, which will compare\naudit trails from the enumeration and SSI claims systems for certain\ncases.\nOIG Note\nMaterial was deleted from SSA`s comments relating\nto a recommendation in the draft report that was changed in the\nfinal report.\nAccounts Receivable\nAs indicated in the OIG report, actions are underway\nat SSA to enhance the ability of the Debt Management System to generate\nreliable accounts receivable data for both Title II and Title XVI.\nOIG does not offer any new recommendations in this area. The report\ndoes note additional Title II debt system corrective measures recently\nimplemented by SSA. 
We also continue to implement accounting improvements\nto the Title XVI debt management systems, and have formed an intercomponent\nteam to resolve all remaining Title XVI debt management weaknesses.\nReport on Compliance With Laws and Regulations\nLegal Requirements to Notify Beneficiaries of Due\nProcess Rights\nOIG Recommendation\nWe recommend that SSA, in consultation with the Office\nof the General Counsel, take such action as is necessary to rectify\nits continuing noncompliance with laws and regulations in this regard.\nSSA Comment\nAs noted in the OIG report, we recently implemented\na systems change to eliminate the continuance of the noncompliance\nproblem and assure proper overpayment notification in the future.\nWe, therefore, are not in continuing noncompliance with the applicable\nlaws and regulations. With regard to notification of those members\nof the previously affected Title XVI population, we plan to investigate\nthe relevant statutory requirements relating to due process rights\nnotification, and the options available to the Agency to appropriately\nnotify these individuals.\nOIG Note\nMaterial was deleted from SSA`s comments relating\nto information in the draft report which was changed in the final\nreport.\nContinuing Disability Reviews (CDR)\nOIG indicates that SSA`s CDR mailer process is\nthe right approach for addressing CDR case backlogs. OIG does not\noffer any new recommendations, and we have no additional comments\non processing of the backlogs.\nPrivacy Policy | Website\nPolicies & Other Important Information\xc2\xa0| Site\nMap\nNeed Larger Text?\nLast reviewed or modified'